NotPetya — 'Ransomware' That Spreads like a Worm

Barely out of the woods with WannaCry, organizations faced another global ransomware outbreak in late June 2017, when what looked like a new variant of 'Petya' began infecting organizations throughout Europe and into the Americas. Initial analysis took the attack to be a variant of Petya ransomware, since the threat actors behind it had carefully designed it to look the same. On further analysis, however, its main distribution and payment schemes proved inconsistent with Petya, and the malware came to be known as NotPetya.

NotPetya, as it turned out, was disseminated through compromised software from MeDoc, a tax accounting package that is one of the two approved by the Ukrainian government for filing. The attackers appear to have breached the vendor's systems and compromised a software update published to customers on June 22, and the malware went on to infect more than 12,000 systems throughout Europe and America. Once inside a network, the new variant spread using the Windows Management Instrumentation Command-line tool (WMIC), the Sysinternals remote-execution tool PsExec, and the Microsoft Server Message Block (SMB) exploit known as ETERNALBLUE. The SMB exploit used in NotPetya was in fact the same one used by the devastating WannaCry attack a month earlier.

Once NotPetya infects a system, it starts its encryption routine and attempts to spread across the network. What makes NotPetya unusual is that it extracts cached user credentials from the first infected machine and reuses them to start itself on other hosts through WMIC, so it can move laterally even to machines that are fully patched against ETERNALBLUE. The other key difference from WannaCry is that WannaCry checked a killswitch domain before running, whereas NotPetya does not: encryption happens whether the infected system is in an isolated environment or connected to the internet.
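The WMIC propagation described above is also what a defender can hunt for: one workstation launching `wmic /node:... process call create` against many peers within minutes. The following PowerShell is an added example written for this article, not code from the original post or from Infoblox. It runs a simple fan-out detection over constructed sample process-creation events; the computer names, accounts, addresses and payload path are invented, and in production the same objects would be built from Sysmon Event ID 1 or Security Event ID 4688 records returned by Get-WinEvent.

```powershell
# Added example (not from the original article or Infoblox): flag a host that uses
# WMIC to start processes on many remote machines within a short window, the
# fan-out the article describes for NotPetya's credential-reuse propagation.
# $SampleEvents below is CONSTRUCTED data standing in for process-creation records
# (Sysmon Event ID 1 or Security Event ID 4688); in production, build the same
# objects from Get-WinEvent output. Computer names, users and addresses are made up.

function Find-WmicFanOut {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # objects with Time, Computer, User, Image, CommandLine
        [int] $Threshold = 5,                       # distinct remote targets that trigger an alert
        [int] $WindowMinutes = 10
    )

    # Keep only WMIC invocations that create a process on a remote node.
    # /node: may carry a quoted list; the first entry is enough to identify a target.
    $remote = foreach ($e in $Events) {
        if ($e.Image -notmatch '(?i)\\wmic\.exe$') { continue }
        if ($e.CommandLine -notmatch '(?i)process\s+call\s+create') { continue }
        if ($e.CommandLine -match '(?i)/node:\s*"?([^"\s,]+)') {
            [pscustomobject]@{ Time = $e.Time; Computer = $e.Computer; User = $e.User; Target = $Matches[1] }
        }
    }

    # For each source computer, slide a window over its remote WMIC calls and count
    # distinct targets; a worm hits many peers in minutes, an admin usually hits one.
    $alerts = foreach ($group in ($remote | Group-Object -Property Computer)) {
        $sorted = @($group.Group | Sort-Object -Property Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start    = $sorted[$i].Time
            $end      = $start.AddMinutes($WindowMinutes)
            $inWindow = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
            $targets  = @($inWindow | Select-Object -ExpandProperty Target | Sort-Object -Unique)
            if ($targets.Count -ge $Threshold) {
                [pscustomobject]@{
                    SourceComputer = $group.Name
                    Users          = (@($inWindow | Select-Object -ExpandProperty User | Sort-Object -Unique) -join ', ')
                    WindowStart    = $start
                    TargetCount    = $targets.Count
                    Targets        = ($targets -join ', ')
                }
                break   # one alert per source computer is enough
            }
        }
    }
    return $alerts
}

# Helper to build constructed sample records in the shape the detection expects.
function New-SampleEvent([string] $Time, [string] $Computer, [string] $User, [string] $Image, [string] $CommandLine) {
    [pscustomobject]@{ Time = [datetime] $Time; Computer = $Computer; User = $User; Image = $Image; CommandLine = $CommandLine }
}

$wmic = 'C:\Windows\System32\wbem\WMIC.exe'
$SampleEvents = @(
    # WS01 pushes a payload to six peers within three minutes using a harvested service account (constructed)
    New-SampleEvent '2017-06-27T10:30:01' 'WS01' 'CORP\jdoe' $wmic 'wmic /node:"10.0.5.12" /user:"CORP\svc_backup" /password:"<redacted>" process call create "C:\Windows\System32\rundll32.exe C:\Windows\payload.dll,#1"'
    New-SampleEvent '2017-06-27T10:30:27' 'WS01' 'CORP\jdoe' $wmic 'wmic /node:"10.0.5.13" /user:"CORP\svc_backup" /password:"<redacted>" process call create "C:\Windows\System32\rundll32.exe C:\Windows\payload.dll,#1"'
    New-SampleEvent '2017-06-27T10:31:02' 'WS01' 'CORP\jdoe' $wmic 'wmic /node:"10.0.5.14" /user:"CORP\svc_backup" /password:"<redacted>" process call create "C:\Windows\System32\rundll32.exe C:\Windows\payload.dll,#1"'
    New-SampleEvent '2017-06-27T10:31:40' 'WS01' 'CORP\jdoe' $wmic 'wmic /node:"10.0.5.15" /user:"CORP\svc_backup" /password:"<redacted>" process call create "C:\Windows\System32\rundll32.exe C:\Windows\payload.dll,#1"'
    New-SampleEvent '2017-06-27T10:32:15' 'WS01' 'CORP\jdoe' $wmic 'wmic /node:"10.0.5.16" /user:"CORP\svc_backup" /password:"<redacted>" process call create "C:\Windows\System32\rundll32.exe C:\Windows\payload.dll,#1"'
    New-SampleEvent '2017-06-27T10:32:51' 'WS01' 'CORP\jdoe' $wmic 'wmic /node:"10.0.5.17" /user:"CORP\svc_backup" /password:"<redacted>" process call create "C:\Windows\System32\rundll32.exe C:\Windows\payload.dll,#1"'
    # ADMIN01: an administrator acting on a single server, below threshold, must not alert
    New-SampleEvent '2017-06-27T10:31:00' 'ADMIN01' 'CORP\admin' $wmic 'wmic /node:"FS01" process call create "cmd.exe /c gpupdate /force"'
    # WS07: cmd.exe rather than wmic.exe, ignored even though the command line mentions wmic
    New-SampleEvent '2017-06-27T10:32:00' 'WS07' 'CORP\asmith' 'C:\Windows\System32\cmd.exe' 'cmd.exe /c echo wmic /node:test'
)

# Expected on the sample data: one alert, SourceComputer WS01, TargetCount 6.
Find-WmicFanOut -Events $SampleEvents | Format-List
```

The threshold and window are tuning knobs: help-desk staff and patch tools legitimately use WMIC against several machines, so baseline your environment before alerting, and pair the rule with a check that the account in /user: is not one that should ever be used interactively from a workstation.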

What Makes ‘NotPetya’ Unique

Ransomware locks up files on infected machines and demands payment to recover the data. NotPetya differentiated itself through a two-stage encryption process. If it runs with administrative privileges, it overwrites the hard disk's Master Boot Record with its own bootloader and schedules a task to restart the system; on reboot, the bootloader displays a fake CHKDSK screen while it encrypts the Master File Table, then shows the ransom note. If it cannot run with those privileges, it falls back to encrypting files matching a hard-coded list of extensions in user mode and writes a README.TXT ransom note.

Prior Petya campaigns ran a single, organized payment and decryption-key distribution system reachable over the Tor network. By contrast, this attack relied on a single email account for coordinating ransom payments and decryption keys. That address was identified and deactivated by its provider early in the outbreak, and investigators concluded it was unlikely the attackers intended it to remain operational throughout the campaign. Researchers later also found that the 'installation key' displayed in the ransom note was random data, so victims' disks could not have been decrypted even had a payment reached the attackers. Together with the worm-like spread, these characteristics led many researchers to believe the true goal of the attack was disruption rather than monetary gain.

According to an open-source intelligence analysis by Infoblox, the campaign involved the following major actions:

Implanted trojan: Attackers disguised a trojan as a legitimate update to the MeDoc software. Since MeDoc is one of the two tax accounting packages approved by the Ukrainian government, the threat actors knew it would be present in the financial sector and in nearly any company doing business in Ukraine.

Watering-hole attack: Attackers often compromise a website or create a look-alike domain to function as a watering hole that victims visit without being lured. What made this attack so effective was that it went a step further and compromised the software supply chain itself, using MeDoc's own update service to deliver the trojan. Because the update service was genuinely operated by the real vendor, customers would most likely have trusted the update and deployed it automatically.

Enhanced malware: Attackers enhanced the malware to harvest user credentials and to use the remote-administration capabilities built into the operating system (WMIC) to move laterally and spread.

Best Practices

Throughout recent months, ransomware has emerged as one of this year's biggest threats. More than $1B was paid out to ransomware criminals in 2016 alone, and 2017 has seen a 6,000 percent increase in ransomware-laden emails compared to 2016. As attacks of this scale, and with motives this ambiguous, are likely to continue, organizations must adopt certain best practices to stay protected and keep themselves and their customers safe.

Backup: Always back up essential data, keep at least one copy offline or otherwise unreachable from the network a worm can traverse, and test the restore procedures.

Timely Patches: Prioritize and apply security updates and patches. Since a known vulnerability in Microsoft Server Message Block (SMB) was used in this attack, installing the updates from Microsoft's March 2017 security bulletin MS17-010 closes that hole. SMBv1 should be disabled until the patch can be applied, and can stay disabled afterwards wherever no legacy device depends on it; Microsoft publishes per-version guidance on doing so. Patching alone is not sufficient against this family, however: because NotPetya also spreads with stolen credentials over WMIC, a fully patched host can still be infected from a compromised neighbour, which is why segmentation matters as well.

Network Hygiene: Segment networks, and restrict SMB (TCP 445) and WMI/RPC traffic between workstations, to limit the propagation of malware.

User Training: Although NotPetya itself arrived through a trusted software update rather than email, most ransomware still does. Train employees to delete emails with attachments from unknown senders, and disable Microsoft Office document macros by default. Documents should not be allowed to open additional files or execute macros without out-of-band confirmation (e.g. by phone or in person) that the sender is genuine.

High-quality, curated threat-intelligence feeds: Current, curated threat intelligence fed into DNS can block users' lookups of known-bad domains. Response Policy Zone (RPZ) capability integrated with DNS lets resolvers detect and block communications to malicious sites and command-and-control servers, which helps stop the spread of much advanced malware and ransomware. Note that NotPetya itself needed no external command-and-control or killswitch lookup to spread or encrypt, so DNS controls complement patching and segmentation rather than replace them.
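To check the 'Timely Patches' item above on a host, the following PowerShell is an added example, not code from the original article or from Infoblox. It audits for the MS17-010 update and for SMBv1 on both the server and client side, and disables SMBv1 when run with -Remediate. The KB numbers are those Microsoft listed in MS17-010 and may be superseded by later cumulative updates; the registry paths and sc.exe commands are Microsoft's documented method for Windows 7 and Server 2008 R2, and the Smb* cmdlets exist on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the original article or Infoblox): audit a Windows host
# for the two conditions the patching advice depends on (MS17-010 present, SMBv1
# off) and optionally turn SMBv1 off. Run from an elevated PowerShell prompt.
# The KB numbers are the updates Microsoft listed in bulletin MS17-010; later
# cumulative updates supersede them, so an empty match means "check this build's
# update history", not "vulnerable". Get-HotFix also only lists updates installed
# through Windows Update/WUSA, another reason to treat this as a first pass.
param([switch] $Remediate)

$Ms17010Kbs = @(
    'KB4012598',                            # Windows XP, Server 2003, Vista, Server 2008
    'KB4012212', 'KB4012215',               # Windows 7, Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012213', 'KB4012216',               # Windows 8.1, Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507, 1511, 1607 / Server 2016
)
$ServerParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ClientDriver = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

function Test-Ms17010Installed {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hits = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{ Ms17010Found = ($hits.Count -gt 0); MatchingKbs = ($hits -join ', ') }
}

function Get-Smb1State {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later expose the server-side setting directly
        $serverOn = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / Server 2008 R2: REG_DWORD SMB1 under LanmanServer\Parameters; absent means enabled
        $v = Get-ItemProperty -Path $ServerParams -Name SMB1 -ErrorAction SilentlyContinue
        $serverOn = ($null -eq $v) -or ($v.SMB1 -ne 0)
    }
    # Client side: the SMB1 redirector driver mrxsmb10. Start = 4 means disabled.
    $drv = Get-ItemProperty -Path $ClientDriver -Name Start -ErrorAction SilentlyContinue
    $clientOn = ($null -ne $drv) -and ($drv.Start -ne 4)
    [pscustomobject]@{ Smb1ServerEnabled = $serverOn; Smb1ClientEnabled = $clientOn }
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $ServerParams -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Client side, per Microsoft KB2696547: drop the SMB1 dependency from the
    # workstation service and disable the SMB1 redirector. Takes effect after a reboot.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

$patch = Test-Ms17010Installed
$smb   = Get-Smb1State
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    Ms17010Found      = $patch.Ms17010Found
    MatchingKbs       = $patch.MatchingKbs
    Smb1ServerEnabled = $smb.Smb1ServerEnabled
    Smb1ClientEnabled = $smb.Smb1ClientEnabled
} | Format-List

if ($Remediate -and ($smb.Smb1ServerEnabled -or $smb.Smb1ClientEnabled)) {
    Disable-Smb1
    Write-Output 'SMBv1 disabled; a reboot is required for the client-side change.'
}
```

Run it elevated. Disabling SMBv1 breaks old NAS units, printers and scanners that speak only that dialect, so inventory those first; on Windows 8.1 and 10, `Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol` removes the component entirely rather than just switching it off.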

About the author: As Director of Cyber Intelligence for Infoblox, Sean Tierney leads the efforts to develop and refine threat data, delivered to customers as machine-readable, actionable intelligence. His team collaborates with industry peers, Fortune 500 companies, and government agencies to identify emerging cybersecurity threats.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
